Page 1115 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Exam Essentials


Understand the importance of security assessment and testing programs.
Security assessment and testing programs provide an important mechanism for
validating the ongoing effectiveness of security controls. They include a
variety of tools, including vulnerability assessments, penetration tests,
software testing, audits, and security management tasks designed to validate
controls. Every organization should have a security assessment and testing
program defined and operational.

Conduct vulnerability assessments and penetration tests. Vulnerability
assessments use automated tools to search for known vulnerabilities in
systems, applications, and networks. These flaws may include missing patches,
misconfigurations, or faulty code that expose the organization to security
risks. Penetration tests also use these same tools but supplement them with
attack techniques where an assessor attempts to exploit vulnerabilities and
gain access to the system.
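To make the vulnerability-assessment side concrete, the following Python is an added illustration, not code from the study guide or from any scanner product. It performs the two kinds of automated check the passage names, a missing-patch check (installed version older than the version that fixes a flaw) and a misconfiguration check (weak settings in an sshd_config-style file), against a constructed advisory list, a constructed inventory and a constructed configuration fragment. The advisory identifiers, package names and fixed versions are all made up for the example.

```python
"""Vulnerability-assessment style checks (added illustration, constructed data)."""
from dataclasses import dataclass

# Constructed advisory list: package -> (version that fixes the flaw, description).
# The EXAMPLE-000n identifiers are placeholders, not real advisories or CVEs.
ADVISORIES = {
    "examplelib": ("2.4.1", "EXAMPLE-0001: buffer overflow in record parser"),
    "webfront": ("1.9.0", "EXAMPLE-0002: authentication bypass"),
}

# Constructed baseline of settings a hardening standard would treat as weak.
WEAK_SETTINGS = {
    ("PermitRootLogin", "yes"): "root login over SSH enabled",
    ("PasswordAuthentication", "yes"): "password authentication enabled",
    ("Protocol", "1"): "legacy protocol version enabled",
}


@dataclass(frozen=True)
class Finding:
    category: str   # "missing-patch" or "misconfiguration"
    subject: str    # what was found (package and version, or key and value)
    detail: str     # why it matters and, for patches, the fixing version


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_patches(installed: dict) -> list:
    """Flag packages whose installed version is older than the advisory's fixed version."""
    findings = []
    for package, version in installed.items():
        if package not in ADVISORIES:
            continue
        fixed, description = ADVISORIES[package]
        if parse_version(version) < parse_version(fixed):
            findings.append(Finding("missing-patch", f"{package} {version}",
                                    f"{description}; fixed in {fixed}"))
    return findings


def check_config(config_text: str) -> list:
    """Flag weak key/value settings in an sshd_config-style text (comments ignored)."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        reason = WEAK_SETTINGS.get((key, value))
        if reason:
            findings.append(Finding("misconfiguration", f"{key} {value}", reason))
    return findings


def assess(installed: dict, config_text: str) -> list:
    """Run both checks and return the combined list of findings."""
    return check_patches(installed) + check_config(config_text)


# Constructed sample inventory: examplelib is behind the fix, webfront 1.10.0 is
# newer than 1.9.0 (a plain string comparison would wrongly flag it).
SAMPLE_INVENTORY = {"examplelib": "2.3.9", "webfront": "1.10.0", "unrelated": "0.1"}

# Constructed configuration fragment with one weak setting.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, SAMPLE_CONFIG):
        print(f"[{f.category}] {f.subject}: {f.detail}")
```

The numeric version tuple matters in practice: comparing "1.10.0" and "1.9.0" as strings would report a false missing patch, which is exactly the kind of noise that makes assessment reports hard to act on.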

Perform software testing to validate code moving into production. Software
testing techniques verify that code functions as designed and does not
contain security flaws. Code review uses a peer review process to formally or
informally validate code before deploying it in production. Interface testing
assesses the interactions between components and users with API testing, user
interface testing, and physical interface testing.

Understand the difference between static and dynamic software testing.
Static software testing techniques, such as code reviews, evaluate the
security of software without running it by analyzing either the source code
or the compiled application. Dynamic testing evaluates the security of
software in a runtime environment and is often the only option for
organizations deploying applications written by someone else.
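The contrast between the two approaches, and the fuzzing technique the next essential introduces, can be shown side by side. The following Python is an added illustration and not code from the study guide: `static_scan` walks the abstract syntax tree of a constructed source string and reports risky calls without ever executing it, while `fuzz` runs a small constructed target function (`parse_record`, which carries a deliberately planted length-handling defect) on mutated copies of a valid input and records every unexpected exception. All function names, the sample source and the record format are assumptions made for the example.

```python
"""Static analysis versus dynamic (fuzz) testing (added illustration)."""
import ast
import random

# ---- Static testing: inspect source without running it ------------------------
DANGEROUS_CALLS = {"eval", "exec"}

# Constructed source string to analyse; it is never executed.
SAMPLE_SOURCE = '''\
import subprocess

def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)
'''


def static_scan(source: str) -> list:
    """Report (line, description) for eval/exec calls and any call using shell=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Name):
            name = node.func.id
        elif isinstance(node.func, ast.Attribute):
            name = node.func.attr
        else:
            name = "<call>"
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"call to {name}()"))
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                findings.append((node.lineno, f"{name}() with shell=True"))
    return sorted(findings)


# ---- Dynamic testing: run the target on mutated inputs ------------------------
class MalformedRecord(Exception):
    """Graceful rejection of bad input; the fuzzer treats this as expected."""


def parse_record(data: bytes) -> str:
    """Constructed target: one length byte, payload, one checksum byte.
    Planted defect: the length byte is trusted, so a short buffer makes the
    checksum index fall past the end (IndexError)."""
    if not data:
        raise MalformedRecord("empty record")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]            # IndexError when length overruns the buffer
    if sum(payload) % 256 != checksum:
        raise MalformedRecord("bad checksum")
    return payload.decode("ascii")         # UnicodeDecodeError on a non-ASCII payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, insert, delete, or boundary-value overwrite."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception name: first input that triggered it} for unexpected failures."""
    rng = random.Random(rng_seed)          # fixed seed keeps runs reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except MalformedRecord:
            continue                       # input rejected cleanly: not a bug
        except Exception as exc:           # anything else is a crash worth reporting
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed valid seed: length 5, payload "hello", checksum sum("hello") % 256 == 20.
SEED = bytes([5]) + b"hello" + bytes([20])

if __name__ == "__main__":
    for line, what in static_scan(SAMPLE_SOURCE):
        print(f"static  line {line}: {what}")
    for name, case in fuzz(parse_record, SEED).items():
        print(f"dynamic {name} on input {case!r}")
```

Two points worth noticing. The static scan finds the `eval` and `shell=True` calls from the text alone, which is why it works on code you cannot or do not want to run, but it knows nothing about what `parse_record` does at runtime. The fuzzer finds the index defect within a few hundred mutations because almost any change to the length byte or any deletion exposes it; the decode defect, by contrast, sits behind the checksum, and a blind mutator rarely produces a non-ASCII payload whose checksum still matches. That is the usual reason fuzzing harnesses strip or recompute checksums before handing input to the parser.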

Explain the concept of fuzzing. Fuzzing uses modified inputs to test software
performance under unexpected circumstances. Mutation